Commit b8673bb9 authored by Jay Satiro's avatar Jay Satiro
Browse files

openssl: Fix verification of server-sent legacy intermediates 

- Try building a chain using issuers in the trusted store first to avoid
problems with server-sent legacy intermediates.

Prior to this change server-sent legacy intermediates with missing
legacy issuers would cause verification to fail even if the client's CA
bundle contained a valid replacement for the intermediate and an
alternate chain could be constructed that would verify successfully.

https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
parent 8f479144

lib/vtls/openssl.c

+14 −0
Original line number Diff line number Diff line
@@ -2013,6 +2013,20 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) 
          data->set.str[STRING_SSL_CRLFILE]: "none");

  }



  /* Try building a chain using issuers in the trusted store first to avoid

  problems with server-sent legacy intermediates.

  Newer versions of OpenSSL do alternate chain checking by default which

  gives us the same fix without as much of a performance hit (slight), so we

  prefer that if available.

  https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest

  */

#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)

  if(data->set.ssl.verifypeer) {

    X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),

                         X509_V_FLAG_TRUSTED_FIRST);

  }

#endif



  /* SSL always tries to verify the peer, this only says whether it should

   * fail to connect if the verification fails, or if it should continue

   * anyway. In the latter case the result of the verification is checked with